Similarity testing for access control

Bertolino, A.; Daoudagh, S.; El Kateb, Donia; Henard, Christopher; Le Traon, Yves; Lonetti, F.; Marchetti, E.; Mouelhi, T.; Papadakis, Mike

doi:10.1016/j.infsof.2014.07.003

Reference : Similarity testing for access control


	Document type :	Scientific journals : Article
	Discipline(s) :	Engineering, computing & technology : Computer science
	To cite this reference:	http://hdl.handle.net/10993/26426

Title :	Similarity testing for access control
Language :	English
Author, co-author :	Bertolino, A. [Istituto di Scienza e Tecnologie dell'Informazione A. Faedo, Consiglio Nazionale Delle Ricerche, via G. Moruzzi 1, Pisa, Italy]
	Daoudagh, S. [Istituto di Scienza e Tecnologie dell'Informazione A. Faedo, Consiglio Nazionale Delle Ricerche, via G. Moruzzi 1, Pisa, Italy]
	El Kateb, Donia [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)]
	Henard, Christopher [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) >]
	Le Traon, Yves [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
	Lonetti, F. [Istituto di Scienza e Tecnologie dell'Informazione A. Faedo, Consiglio Nazionale Delle Ricerche, via G. Moruzzi 1, Pisa, Italy]
	Marchetti, E. [Istituto di Scienza e Tecnologie dell'Informazione A. Faedo, Consiglio Nazionale Delle Ricerche, via G. Moruzzi 1, Pisa, Italy]
	Mouelhi, T. [Interdisciplinary Research Centre, SnT, University of Luxembourg, Luxembourg, Luxembourg]
	Papadakis, Mike [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Publication date :	2015
Journal title :	Information and Software Technology
Publisher :	Elsevier
Volume :	58
Pages :	355-372
Peer reviewed :	Yes (verified by ORBi^lu)
Audience :	International
ISSN :	09505849
Keywords :	[en] Security policies ; Similarity ; Test prioritization ; Budget control ; Fault detection ; Testing ; Access control policies ; Exhaustive testing ; Mutation analysis ; Security mechanism ; Security policy ; Similarity criteria ; Access control
Abstract :	[en] Context: Access control is among the most important security mechanisms, and XACML is the de facto standard for specifying, storing and deploying access control policies. Since it is critical that enforced policies are correct, policy testing must be performed in an effective way to identify potential security flaws and bugs. In practice, exhaustive testing is impossible due to budget constraints. Therefore the tests need to be prioritized so that resources are focused on their most relevant subset. Objective: This paper tackles the issue of access control test prioritization. It proposes a new approach for access control test prioritization that relies on similarity. Method: The approach has been applied to several policies and the results have been compared to random prioritization (as a baseline). To assess the different prioritization criteria, we use mutation analysis and compute the mutation scores reached by each criterion. This helps assessing the rate of fault detection. Results: The empirical results indicate that our proposed approach is effective and its rate of fault detection is higher than that of random prioritization. Conclusion: We conclude that prioritization of access control test cases can be usefully based on similarity criteria. © 2014 Elsevier B.V. All rights reserved.
Permalink :	http://hdl.handle.net/10993/26426
DOI :	10.1016/j.infsof.2014.07.003

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	Similarity testing for access control.pdf		Publisher postprint	2.62 MB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices